[jira] [Resolved] (FELIX-6104) Windows Server 2019

2019-05-09 Thread mengln (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6104?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

mengln resolved FELIX-6104.
---
Resolution: Fixed

> Windows Server 2019
> ---
>
> Key: FELIX-6104
> URL: https://issues.apache.org/jira/browse/FELIX-6104
> Project: Felix
>  Issue Type: Wish
>Reporter: mengln
>Priority: Major
>
> Does Windows Server 2019 support the following products:
> Felix Bundle Repository   1.6.6
> Felix configAdmin 1.6.0
> Felix FileInstall  3.2.8
> Felix Framework 4.2.1
> Felix Framework(org.osgi/org.osgi.core)  5.0.0
> Felix GoGo Runtime 0.10.0
> Felix Metatype    1.0.10
> Felix Webconsole Plugin   1.0.0
> Felix Webconsole Plugin Event  1.1.0
> Service OBR 1.0.2
> Is the other version supported?
>  Can you tell me, thank you very much.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Closed] (FELIX-6104) Windows Server 2019

2019-05-09 Thread mengln (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6104?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

mengln closed FELIX-6104.
-

> Windows Server 2019
> ---
>
> Key: FELIX-6104
> URL: https://issues.apache.org/jira/browse/FELIX-6104
> Project: Felix
>  Issue Type: Wish
>Reporter: mengln
>Priority: Major
>
> Does Windows Server 2019 support the following products:
> Felix Bundle Repository   1.6.6
> Felix configAdmin 1.6.0
> Felix FileInstall  3.2.8
> Felix Framework 4.2.1
> Felix Framework(org.osgi/org.osgi.core)  5.0.0
> Felix GoGo Runtime 0.10.0
> Felix Metatype    1.0.10
> Felix Webconsole Plugin   1.0.0
> Felix Webconsole Plugin Event  1.1.0
> Service OBR 1.0.2
> Is the other version supported?
>  Can you tell me, thank you very much.





[jira] [Updated] (FELIX-6127) escape nameHint for configuration listing

2019-05-09 Thread Ashok Kumar (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ashok Kumar updated FELIX-6127:
---
Affects Version/s: webconsole-4.3.8

> escape nameHint for configuration listing 
> --
>
> Key: FELIX-6127
> URL: https://issues.apache.org/jira/browse/FELIX-6127
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Affects Versions: webconsole-4.3.8
>Reporter: Ashok Kumar
>Priority: Major
> Attachments: nameHint_escape_tags.patch
>
>
> There is an XSS vulnerability in configMgr when adding an HTML or script tag 
> in a log file name. Since this console is only accessible to an admin, the threat 
> rating of this vulnerability is very low.
> *Steps to reproduce :*
>  * In /system/console/configMgr, find Apache Sling Logging Logger 
> Configuration
>  * Edit one of the logs, e.g logs/auditlog.log
>  * Change to logs/auditlog.logalert("xss")
>  * Click Save and refresh
>  * Scroll to the configuration and see alert pop up injected
> *Expected Behavior :* Injected script should be escaped.





[jira] [Updated] (FELIX-6127) escape nameHint for configuration listing

2019-05-09 Thread Ashok Kumar (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ashok Kumar updated FELIX-6127:
---
Fix Version/s: webconsole-4.3.10

> escape nameHint for configuration listing 
> --
>
> Key: FELIX-6127
> URL: https://issues.apache.org/jira/browse/FELIX-6127
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Affects Versions: webconsole-4.3.8
>Reporter: Ashok Kumar
>Priority: Major
> Fix For: webconsole-4.3.10
>
> Attachments: nameHint_escape_tags.patch
>
>
> There is an XSS vulnerability in configMgr when adding an HTML or script tag 
> in a log file name. Since this console is only accessible to an admin, the threat 
> rating of this vulnerability is very low.
> *Steps to reproduce :*
>  * In /system/console/configMgr, find Apache Sling Logging Logger 
> Configuration
>  * Edit one of the logs, e.g logs/auditlog.log
>  * Change to logs/auditlog.logalert("xss")
>  * Click Save and refresh
>  * Scroll to the configuration and see alert pop up injected
> *Expected Behavior :* Injected script should be escaped.





[jira] [Commented] (FELIX-6127) escape nameHint for configuration listing

2019-05-09 Thread Ashok Kumar (JIRA)


[ 
https://issues.apache.org/jira/browse/FELIX-6127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836246#comment-16836246
 ] 

Ashok Kumar commented on FELIX-6127:


Patch attached. Please review and merge 

> escape nameHint for configuration listing 
> --
>
> Key: FELIX-6127
> URL: https://issues.apache.org/jira/browse/FELIX-6127
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Affects Versions: webconsole-4.3.8
>Reporter: Ashok Kumar
>Priority: Major
> Fix For: webconsole-4.3.10
>
> Attachments: nameHint_escape_tags.patch
>
>
> There is an XSS vulnerability in configMgr when adding an HTML or script tag 
> in a log file name. Since this console is only accessible to an admin, the threat 
> rating of this vulnerability is very low.
> *Steps to reproduce :*
>  * In /system/console/configMgr, find Apache Sling Logging Logger 
> Configuration
>  * Edit one of the logs, e.g logs/auditlog.log
>  * Change to logs/auditlog.logalert("xss")
>  * Click Save and refresh
>  * Scroll to the configuration and see alert pop up injected
> *Expected Behavior :* Injected script should be escaped.





[jira] [Created] (FELIX-6127) escape nameHint for configuration listing

2019-05-09 Thread Ashok Kumar (JIRA)
Ashok Kumar created FELIX-6127:
--

 Summary: escape nameHint for configuration listing 
 Key: FELIX-6127
 URL: https://issues.apache.org/jira/browse/FELIX-6127
 Project: Felix
  Issue Type: Bug
Reporter: Ashok Kumar
 Attachments: nameHint_escape_tags.patch

There is an XSS vulnerability in configMgr when adding an HTML or script tag in 
a log file name. Since this console is only accessible to an admin, the threat 
rating of this vulnerability is very low.

*Steps to reproduce :*
 * In /system/console/configMgr, find Apache Sling Logging Logger Configuration
 * Edit one of the logs, e.g logs/auditlog.log
 * Change to logs/auditlog.logalert("xss")
 * Click Save and refresh
 * Scroll to the configuration and see alert pop up injected

*Expected Behavior :* Injected script should be escaped.





[jira] [Updated] (FELIX-6127) escape nameHint for configuration listing

2019-05-09 Thread Ashok Kumar (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ashok Kumar updated FELIX-6127:
---
Attachment: nameHint_escape_tags.patch

> escape nameHint for configuration listing 
> --
>
> Key: FELIX-6127
> URL: https://issues.apache.org/jira/browse/FELIX-6127
> Project: Felix
>  Issue Type: Bug
>Reporter: Ashok Kumar
>Priority: Major
> Attachments: nameHint_escape_tags.patch
>
>
> There is an XSS vulnerability in configMgr when adding an HTML or script tag 
> in a log file name. Since this console is only accessible to an admin, the threat 
> rating of this vulnerability is very low.
> *Steps to reproduce :*
>  * In /system/console/configMgr, find Apache Sling Logging Logger 
> Configuration
>  * Edit one of the logs, e.g logs/auditlog.log
>  * Change to logs/auditlog.logalert("xss")
>  * Click Save and refresh
>  * Scroll to the configuration and see alert pop up injected
> *Expected Behavior :* Injected script should be escaped.





[jira] [Updated] (FELIX-6127) escape nameHint for configuration listing

2019-05-09 Thread Ashok Kumar (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ashok Kumar updated FELIX-6127:
---
Component/s: Web Console

> escape nameHint for configuration listing 
> --
>
> Key: FELIX-6127
> URL: https://issues.apache.org/jira/browse/FELIX-6127
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Reporter: Ashok Kumar
>Priority: Major
> Attachments: nameHint_escape_tags.patch
>
>
> There is an XSS vulnerability in configMgr when adding an HTML or script tag 
> in a log file name. Since this console is only accessible to an admin, the threat 
> rating of this vulnerability is very low.
> *Steps to reproduce :*
>  * In /system/console/configMgr, find Apache Sling Logging Logger 
> Configuration
>  * Edit one of the logs, e.g logs/auditlog.log
>  * Change to logs/auditlog.logalert("xss")
>  * Click Save and refresh
>  * Scroll to the configuration and see alert pop up injected
> *Expected Behavior :* Injected script should be escaped.





[jira] [Created] (FELIX-6128) Issue in the bundle Web Console

2019-05-09 Thread Antonio Sanso (JIRA)
Antonio Sanso created FELIX-6128:


 Summary: Issue in the bundle Web Console
 Key: FELIX-6128
 URL: https://issues.apache.org/jira/browse/FELIX-6128
 Project: Felix
  Issue Type: Bug
  Components: Web Console
Reporter: Antonio Sanso
 Attachments: image002.png, image003.png

RunningSnail reported an XSS issue in the bundle Web Console.

After logging in, I visit the page whose URL is 
http://127.0.0.1:8080/system/console/bundles.
Then I click "Install/Update" and, before uploading a jar file, I change the 
content of the "MANIFEST.MF" in the jar file.

So when an admin visits the page, he will be affected by the stored XSS.

See attached images





[jira] [Updated] (FELIX-6128) Issue in the bundle Web Console

2019-05-09 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated FELIX-6128:
-
Attachment: image003.png
image002.png

> Issue in the bundle Web Console
> ---
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Reporter: Antonio Sanso
>Priority: Major
> Attachments: image002.png, image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logging in, I visit the page whose URL is 
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and, before uploading a jar file, I change the 
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visits the page, he will be affected by the stored XSS.
> See attached images





[jira] [Updated] (FELIX-6128) Issue in the bundle Web Console

2019-05-09 Thread Ashok Kumar (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ashok Kumar updated FELIX-6128:
---
Attachment: escape_bundle_name.patch

> Issue in the bundle Web Console
> ---
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Reporter: Antonio Sanso
>Priority: Major
> Attachments: escape_bundle_name.patch, image002.png, image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logging in, I visit the page whose URL is 
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and, before uploading a jar file, I change the 
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visits the page, he will be affected by the stored XSS.
> See attached images





[jira] [Commented] (FELIX-6128) Issue in the bundle Web Console

2019-05-09 Thread Ashok Kumar (JIRA)


[ 
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836289#comment-16836289
 ] 

Ashok Kumar commented on FELIX-6128:


Attached patch for escaping the bundle name - escape_bundle_name.patch.

CC: [~asanso], [~karlpauls]

> Issue in the bundle Web Console
> ---
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Reporter: Antonio Sanso
>Priority: Major
> Attachments: escape_bundle_name.patch, image002.png, image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logging in, I visit the page whose URL is 
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and, before uploading a jar file, I change the 
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visits the page, he will be affected by the stored XSS.
> See attached images





[jira] [Commented] (FELIX-6128) Issue in the bundle Web Console

2019-05-09 Thread Ashok Kumar (JIRA)


[ 
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836301#comment-16836301
 ] 

Ashok Kumar commented on FELIX-6128:


[~asanso] , [~karlpauls] ,

Should we escape the Manifest Headers (either selectively for Name or for all 
header values) coming from listHeaders [0]? These are being used on bundles' 
detailed view.

[0] https://github.com/apache/felix/blob/trunk/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L1158-L1175

> Issue in the bundle Web Console
> ---
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Reporter: Antonio Sanso
>Priority: Major
> Attachments: escape_bundle_name.patch, image002.png, image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logging in, I visit the page whose URL is 
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and, before uploading a jar file, I change the 
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visits the page, he will be affected by the stored XSS.
> See attached images





[jira] [Assigned] (FELIX-6128) Issue in the bundle Web Console

2019-05-09 Thread Karl Pauls (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls reassigned FELIX-6128:
-

Assignee: Karl Pauls

> Issue in the bundle Web Console
> ---
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Reporter: Antonio Sanso
>Assignee: Karl Pauls
>Priority: Major
> Attachments: escape_bundle_name.patch, image002.png, image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logging in, I visit the page whose URL is 
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and, before uploading a jar file, I change the 
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visits the page, he will be affected by the stored XSS.
> See attached images





[jira] [Commented] (FELIX-6128) Issue in the bundle Web Console

2019-05-09 Thread Karl Pauls (JIRA)


[ 
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836303#comment-16836303
 ] 

Karl Pauls commented on FELIX-6128:
---

Hi [~ashokpanghal], thanks a lot for looking into this - yes, I think we should 
have a look at all headers and see where it makes sense to escape them.

> Issue in the bundle Web Console
> ---
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Reporter: Antonio Sanso
>Priority: Major
> Attachments: escape_bundle_name.patch, image002.png, image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logging in, I visit the page whose URL is 
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and, before uploading a jar file, I change the 
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visits the page, he will be affected by the stored XSS.
> See attached images





[jira] [Assigned] (FELIX-6127) escape nameHint for configuration listing

2019-05-09 Thread Karl Pauls (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls reassigned FELIX-6127:
-

Assignee: Karl Pauls

> escape nameHint for configuration listing 
> --
>
> Key: FELIX-6127
> URL: https://issues.apache.org/jira/browse/FELIX-6127
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Affects Versions: webconsole-4.3.8
>Reporter: Ashok Kumar
>Assignee: Karl Pauls
>Priority: Major
> Fix For: webconsole-4.3.10
>
> Attachments: nameHint_escape_tags.patch
>
>
> There is an XSS vulnerability in configMgr when adding an HTML or script tag 
> in a log file name. Since this console is only accessible to an admin, the threat 
> rating of this vulnerability is very low.
> *Steps to reproduce :*
>  * In /system/console/configMgr, find Apache Sling Logging Logger 
> Configuration
>  * Edit one of the logs, e.g logs/auditlog.log
>  * Change to logs/auditlog.logalert("xss")
>  * Click Save and refresh
>  * Scroll to the configuration and see alert pop up injected
> *Expected Behavior :* Injected script should be escaped.





[RESULT] [VOTE] Release Apache Felix SCR Generator 1.18.2, SCR Bnd Plugin 1.9.4, Maven SCR Plugin 1.26.2

2019-05-09 Thread Stefan Seifert
Hi,

The vote has passed with the following result :

  +1 (binding): Carsten Ziegeler, Raymond Auge, Jean-Baptiste Onofré
  +1 (non binding): Stefan Seifert


=> @any PMC member: please copy this release to the Felix dist directory.

I will promote the artifacts to the central Maven repository and update the 
felix site.

stefan



[jira] [Closed] (FELIX-6122) SCR Tooling: Update to ASM 7.1 for Java 11 compatibility

2019-05-09 Thread Stefan Seifert (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stefan Seifert closed FELIX-6122.
-

> SCR Tooling: Update to ASM 7.1 for Java 11 compatibility
> 
>
> Key: FELIX-6122
> URL: https://issues.apache.org/jira/browse/FELIX-6122
> Project: Felix
>  Issue Type: Improvement
>  Components: SCR Tooling
>Affects Versions: maven-scr-plugin 1.26.0, scr generator 1.18.0, scr bnd 
> plugin 1.9.2
>Reporter: Stefan Seifert
>Assignee: Stefan Seifert
>Priority: Major
> Fix For: scr bnd plugin 1.9.4, scr generator 1.18.2, 
> maven-scr-plugin 1.26.2
>
>
> the BND tooling is currently based on ASM 5.1, which does not support class 
> files generated by newer java versions (e.g. Java 11). Updating to ASM 7.1 
> fixes this.





[jira] [Assigned] (FELIX-6125) maven-bundle-plugin changelog.txt out of date

2019-05-09 Thread Stefan Seifert (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stefan Seifert reassigned FELIX-6125:
-

Assignee: Stefan Seifert

> maven-bundle-plugin changelog.txt out of date
> -
>
> Key: FELIX-6125
> URL: https://issues.apache.org/jira/browse/FELIX-6125
> Project: Felix
>  Issue Type: Bug
>  Components: Documentation
>Affects Versions: maven-bundle-plugin-4.2.0
>Reporter: Ludwig Schmidt
>Assignee: Stefan Seifert
>Priority: Major
>
> The maven-bundle-plugin changelog only includes changes up to version 3.5.0.
> See:
> [https://svn.apache.org/repos/asf/felix/releases/maven-bundle-plugin-4.2.0/changelog.txt]





[jira] [Updated] (FELIX-6125) maven-bundle-plugin changelog.txt out of date

2019-05-09 Thread Stefan Seifert (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stefan Seifert updated FELIX-6125:
--
  Priority: Trivial  (was: Major)
Issue Type: Task  (was: Bug)

> maven-bundle-plugin changelog.txt out of date
> -
>
> Key: FELIX-6125
> URL: https://issues.apache.org/jira/browse/FELIX-6125
> Project: Felix
>  Issue Type: Task
>  Components: Documentation
>Affects Versions: maven-bundle-plugin-4.2.0
>Reporter: Ludwig Schmidt
>Assignee: Stefan Seifert
>Priority: Trivial
>
> The maven-bundle-plugin changelog only includes changes up to version 3.5.0.
> See:
> [https://svn.apache.org/repos/asf/felix/releases/maven-bundle-plugin-4.2.0/changelog.txt]





[jira] [Resolved] (FELIX-6125) maven-bundle-plugin changelog.txt out of date

2019-05-09 Thread Stefan Seifert (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stefan Seifert resolved FELIX-6125.
---
Resolution: Fixed

Completed: At revision: 1858996  

I've updated the changelogs for 4.0, 4.1 and 4.2.


> maven-bundle-plugin changelog.txt out of date
> -
>
> Key: FELIX-6125
> URL: https://issues.apache.org/jira/browse/FELIX-6125
> Project: Felix
>  Issue Type: Bug
>  Components: Documentation
>Affects Versions: maven-bundle-plugin-4.2.0
>Reporter: Ludwig Schmidt
>Assignee: Stefan Seifert
>Priority: Major
>
> The maven-bundle-plugin changelog only includes changes up to version 3.5.0.
> See:
> [https://svn.apache.org/repos/asf/felix/releases/maven-bundle-plugin-4.2.0/changelog.txt]





[jira] [Updated] (FELIX-6128) Issue in the bundle Web Console

2019-05-09 Thread Ashok Kumar (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ashok Kumar updated FELIX-6128:
---
Attachment: escape_bundle_name_and_other_manifest_headers.patch

> Issue in the bundle Web Console
> ---
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Reporter: Antonio Sanso
>Assignee: Karl Pauls
>Priority: Major
> Attachments: escape_bundle_name.patch, 
> escape_bundle_name_and_other_manifest_headers.patch, image002.png, 
> image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logging in, I visit the page whose URL is 
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and, before uploading a jar file, I change the 
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visits the page, he will be affected by the stored XSS.
> See attached images





[jira] [Comment Edited] (FELIX-6128) Issue in the bundle Web Console

2019-05-09 Thread Ashok Kumar (JIRA)


[ 
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836289#comment-16836289
 ] 

Ashok Kumar edited comment on FELIX-6128 at 5/9/19 12:58 PM:
-

Attached patch for escaping the bundle name - escape_bundle_name.patch - DELETED

CC: [~asanso], [~karlpauls]


was (Author: ashokpanghal):
Attached patch for escaping the bundle name - escape_bundle_name.patch.

CC: [~asanso], [~karlpauls]

> Issue in the bundle Web Console
> ---
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Reporter: Antonio Sanso
>Assignee: Karl Pauls
>Priority: Major
> Attachments: escape_bundle_name_and_other_manifest_headers.patch, 
> image002.png, image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logging in, I visit the page whose URL is 
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and, before uploading a jar file, I change the 
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visits the page, he will be affected by the stored XSS.
> See attached images





[jira] [Updated] (FELIX-6128) Issue in the bundle Web Console

2019-05-09 Thread Ashok Kumar (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ashok Kumar updated FELIX-6128:
---
Attachment: (was: escape_bundle_name.patch)

> Issue in the bundle Web Console
> ---
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Reporter: Antonio Sanso
>Assignee: Karl Pauls
>Priority: Major
> Attachments: escape_bundle_name_and_other_manifest_headers.patch, 
> image002.png, image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logging in, I visit the page whose URL is 
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and, before uploading a jar file, I change the 
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visits the page, he will be affected by the stored XSS.
> See attached images





[jira] [Commented] (FELIX-6128) Issue in the bundle Web Console

2019-05-09 Thread Ashok Kumar (JIRA)


[ 
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836360#comment-16836360
 ] 

Ashok Kumar commented on FELIX-6128:


New patch - escape_bundle_name_and_other_manifest_headers.patch , which takes 
care of manifest headers listing along with bundle name. 

> Issue in the bundle Web Console
> ---
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
>  Issue Type: Bug
>  Components: Web Console
>Reporter: Antonio Sanso
>Assignee: Karl Pauls
>Priority: Major
> Attachments: escape_bundle_name_and_other_manifest_headers.patch, 
> image002.png, image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logging in, I visit the page whose URL is 
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and, before uploading a jar file, I change the 
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visits the page, he will be affected by the stored XSS.
> See attached images



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
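
The approach discussed in the FELIX-6128 comments above (escape every manifest header value, not only the bundle name) can be sketched as follows. This is an added example, not the attached patch or the Web Console's own code: the class and method names are hypothetical, the manifest is constructed sample data, and it assumes the values are written into HTML element content or quoted attributes.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.TreeMap;
import java.util.jar.Manifest;

/** Hypothetical demo: HTML-encode all manifest headers at output time. */
public class ManifestHeaderEscapeDemo {

    /** Minimal HTML encoder for element content and quoted attribute values. */
    static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Reads the main manifest section into a sorted map of raw, untrusted values. */
    static Map<String, String> readHeaders(byte[] manifestBytes) throws IOException {
        Manifest mf = new Manifest(new ByteArrayInputStream(manifestBytes));
        Map<String, String> headers = new TreeMap<>();
        for (Map.Entry<Object, Object> e : mf.getMainAttributes().entrySet()) {
            headers.put(e.getKey().toString(), String.valueOf(e.getValue()));
        }
        return headers;
    }

    /** Renders one table row per header; names and values are both encoded. */
    static String renderRows(Map<String, String> headers) {
        StringBuilder html = new StringBuilder();
        for (Map.Entry<String, String> h : headers.entrySet()) {
            html.append("<tr><td>").append(escapeHtml(h.getKey()))
                .append("</td><td>").append(escapeHtml(h.getValue()))
                .append("</td></tr>\n");
        }
        return html.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed MANIFEST.MF of an uploaded bundle; two headers carry markup.
        String manifest =
              "Manifest-Version: 1.0\r\n"
            + "Bundle-SymbolicName: com.example.demo\r\n"
            + "Bundle-Name: Demo <script>alert(\"xss\")</script>\r\n"
            + "Bundle-Description: Tom & Jerry's <b>bundle</b>\r\n"
            + "\r\n";

        Map<String, String> headers =
            readHeaders(manifest.getBytes(StandardCharsets.UTF_8));
        String rows = renderRows(headers);
        System.out.print(rows);

        // The only tags left in the output are the ones the renderer wrote itself.
        if (rows.contains("<script") || rows.contains("<b>")) {
            throw new IllegalStateException("unescaped markup reached the output");
        }
    }
}
```

Encoding at the point of output covers headers added later without a per-header allow-list; a value placed into JavaScript, a URL or an unquoted attribute needs the encoder for that context instead.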


[jira] [Commented] (FELIX-6125) maven-bundle-plugin changelog.txt out of date

2019-05-09 Thread Stefan Seifert (JIRA)


[ 
https://issues.apache.org/jira/browse/FELIX-6125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836362#comment-16836362
 ] 

Stefan Seifert commented on FELIX-6125:
---

I've also uploaded the latest plugin documentation to 
http://felix.apache.org/components/bundle-plugin/

> maven-bundle-plugin changelog.txt out of date
> -
>
> Key: FELIX-6125
> URL: https://issues.apache.org/jira/browse/FELIX-6125
> Project: Felix
>  Issue Type: Task
>  Components: Documentation
>Affects Versions: maven-bundle-plugin-4.2.0
>Reporter: Ludwig Schmidt
>Assignee: Stefan Seifert
>Priority: Trivial
>
> The maven-bundle-plugin changelog only includes changes up to version 3.5.0.
> See:
> [https://svn.apache.org/repos/asf/felix/releases/maven-bundle-plugin-4.2.0/changelog.txt]





[jira] [Assigned] (FELIX-6106) Regression after a change in maven-bundle-plugin:4.2.0 related to non-existing files

2019-05-09 Thread Stefan Seifert (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stefan Seifert reassigned FELIX-6106:
-

Assignee: Stefan Seifert

As far as I see, the problem was introduced one commit before:
https://github.com/apache/felix/commit/e12e94cb84d99e4613a4a57c3655bc7c6095140c

It seems the collection of class path items with this refactoring also includes 
items that do not exist yet (in this case the target/classes folder - because 
in this case this project produced no classes at all but combines only 
artifacts from dependencies).


> Regression after a change in maven-bundle-plugin:4.2.0 related to 
> non-existing files
> 
>
> Key: FELIX-6106
> URL: https://issues.apache.org/jira/browse/FELIX-6106
> Project: Felix
>  Issue Type: Bug
>  Components: Maven Bundle Plugin
>Affects Versions: maven-bundle-plugin-4.2.0
>Reporter: Martin Grigorov
>Assignee: Stefan Seifert
>Priority: Major
>
> Commit 
> https://github.com/apache/felix/commit/9487647dc2fa8734a0ab4a113b0b93ec281a2594
>  introduced with FELIX-6074 leads to an error in one of our projects:
> {code}
> INFO] --- maven-bundle-plugin:4.2.0:bundle (default-bundle) @
> wicketstuff-bundle ---
> [ERROR] An internal error occurred
> java.lang.IllegalArgumentException: A Jar can only accept a file or
> directory that exists:
> /home/solomax/work/wicketstuff-core/wicket-bundle-parent/wicket-bundle/target/classes
> at aQute.bnd.osgi.Jar.<init> (Jar.java:124)
> at aQute.bnd.osgi.Jar.<init> (Jar.java:172)
> at org.apache.felix.bundleplugin.BundlePlugin.getOSGiBuilder
> (BundlePlugin.java:603)
> {code}
> The code of the module can be found at 
> https://github.com/wicketstuff/core/tree/master/wicket-bundle-parent/wicket-bundle.
>  It is mostly Maven code (pom.xml and assembly.xml) that generates an OSGi 
> compatible bundle.
> After upgrading to maven-bundle-plugin:4.2.0 it started failing with the 
> above error.





[jira] [Resolved] (FELIX-6106) Regression after a change in maven-bundle-plugin:4.2.0 related to non-existing files

2019-05-09 Thread Stefan Seifert (JIRA)


 [ 
https://issues.apache.org/jira/browse/FELIX-6106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stefan Seifert resolved FELIX-6106.
---
   Resolution: Fixed
Fix Version/s: maven-bundle-plugin-4.2.2

Completed: At revision: 1859009  

I've implemented a fix for the problem.
Can you confirm it works as expected with 4.2.1-SNAPSHOT?

> Regression after a change in maven-bundle-plugin:4.2.0 related to 
> non-existing files
> 
>
> Key: FELIX-6106
> URL: https://issues.apache.org/jira/browse/FELIX-6106
> Project: Felix
>  Issue Type: Bug
>  Components: Maven Bundle Plugin
>Affects Versions: maven-bundle-plugin-4.2.0
>Reporter: Martin Grigorov
>Assignee: Stefan Seifert
>Priority: Major
> Fix For: maven-bundle-plugin-4.2.2
>
>
> Commit 
> https://github.com/apache/felix/commit/9487647dc2fa8734a0ab4a113b0b93ec281a2594
>  introduced with FELIX-6074 leads to an error in one of our projects:
> {code}
> INFO] --- maven-bundle-plugin:4.2.0:bundle (default-bundle) @
> wicketstuff-bundle ---
> [ERROR] An internal error occurred
> java.lang.IllegalArgumentException: A Jar can only accept a file or
> directory that exists:
> /home/solomax/work/wicketstuff-core/wicket-bundle-parent/wicket-bundle/target/classes
> at aQute.bnd.osgi.Jar.<init> (Jar.java:124)
> at aQute.bnd.osgi.Jar.<init> (Jar.java:172)
> at org.apache.felix.bundleplugin.BundlePlugin.getOSGiBuilder
> (BundlePlugin.java:603)
> {code}
> The code of the module can be found at 
> https://github.com/wicketstuff/core/tree/master/wicket-bundle-parent/wicket-bundle.
>  It is mostly Maven code (pom.xml and assembly.xml) that generates an OSGi 
> compatible bundle.
> After upgrading to maven-bundle-plugin:4.2.0 it started failing with the 
> above error.





Re: [RESULT] [VOTE] Release Apache Felix SCR Generator 1.18.2, SCR Bnd Plugin 1.9.4, Maven SCR Plugin 1.26.2

2019-05-09 Thread Carsten Ziegeler

Copied them to dist directory

Carsten

Stefan Seifert wrote

Hi,

The vote has passed with the following result :

   +1 (binding): Carsten Ziegeler, Raymond Auge, Jean-Baptiste Onofré
   +1 (non binding): Stefan Seifert


=> @any PMC member: please copy this release to the Felix dist directory.

I will promote the artifacts to the central Maven repository and update the 
felix site.

stefan


--
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org


[jira] [Commented] (FELIX-6106) Regression after a change in maven-bundle-plugin:4.2.0 related to non-existing files

2019-05-09 Thread Martin Grigorov (JIRA)


[ 
https://issues.apache.org/jira/browse/FELIX-6106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836885#comment-16836885
 ] 

Martin Grigorov commented on FELIX-6106:


Thank you, [~sseif...@pro-vision.de]!
I've just tested with 4.2.1-SNAPSHOT and everything looks fine!

Why does the "Fix version" say 4.2.2? I expect the release of 4.2.1-SNAPSHOT will 
be 4.2.1.

P.S. I've used

{code}


Apache Nexus

https://repository.apache.org/content/repositories/snapshots/

false


true



{code}

> Regression after a change in maven-bundle-plugin:4.2.0 related to 
> non-existing files
> 
>
> Key: FELIX-6106
> URL: https://issues.apache.org/jira/browse/FELIX-6106
> Project: Felix
>  Issue Type: Bug
>  Components: Maven Bundle Plugin
>Affects Versions: maven-bundle-plugin-4.2.0
>Reporter: Martin Grigorov
>Assignee: Stefan Seifert
>Priority: Major
> Fix For: maven-bundle-plugin-4.2.2
>
>
> Commit 
> https://github.com/apache/felix/commit/9487647dc2fa8734a0ab4a113b0b93ec281a2594
>  introduced with FELIX-6074 leads to an error in one of our projects:
> {code}
> INFO] --- maven-bundle-plugin:4.2.0:bundle (default-bundle) @
> wicketstuff-bundle ---
> [ERROR] An internal error occurred
> java.lang.IllegalArgumentException: A Jar can only accept a file or
> directory that exists:
> /home/solomax/work/wicketstuff-core/wicket-bundle-parent/wicket-bundle/target/classes
> at aQute.bnd.osgi.Jar.<init> (Jar.java:124)
> at aQute.bnd.osgi.Jar.<init> (Jar.java:172)
> at org.apache.felix.bundleplugin.BundlePlugin.getOSGiBuilder
> (BundlePlugin.java:603)
> {code}
> The code of the module can be found at 
> https://github.com/wicketstuff/core/tree/master/wicket-bundle-parent/wicket-bundle.
>  It is mostly Maven code (pom.xml and assembly.xml) that generates an OSGi 
> compatible bundle.
> After upgrading to maven-bundle-plugin:4.2.0 it started failing with the 
> above error.


